From aa559a3f687e2d83345195913f8332f1ecf978bc Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Tue, 29 Oct 2024 18:41:55 +0100
Subject: [PATCH] Return nil unless santitised string matches original.
---
 .../views/tokens/instance/overview_view.ex | 9 ++++++++-
 .../views/tokens/instance/overview_view_test.exs | 14 ++++----------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
index ba62117bd6a3..5639165441b7 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
@@ -102,7 +102,14 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewView do
   def external_url(nil), do: nil
-  def external_url("http" <> _rest = external_url), do: external_url
+  def external_url("http" <> _rest = external_url) do
+    sanitised = external_url |> html_escape() |> safe_to_string()
+    if sanitised != external_url do
+      nil
+    else
+      external_url
+    end
+  end
   def external_url(string) when is_binary(string), do: external_url(nil)
diff --git a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
index d995753d0fbd..6eea1bedb250 100644
--- a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
+++ b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
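Review bot: The `sanitised != external_url` comparison in the new `external_url/1` clause turns any URL containing `&` into nil, so a legitimate `https://example.com/a?x=1&y=2` is dropped together with the attribute-breakout value the test covers, and the `"http" <> _rest` head still passes strings with no host such as `http:` or `httpfoo`. What the clause really wants to assert is "this is a well-formed http(s) URL", which `URI.new/1` (Elixir ≥ 1.13; strict, it returns `{:error, part}` for characters such as `"`, `<` or whitespace) can check directly, leaving escaping for the `href` context to the template that renders it. `html_escape/1` and `safe_to_string/1` are presumably Phoenix.HTML's, imported outside the hunk, and the `%{metadata: _}` clause the tests call is also outside it; the test-file hunks below have no case for a URL with a query-string `&`, so whichever behaviour is intended should be pinned there. A sketch of the clause:
```elixir
  def external_url("http" <> _rest = external_url) do
    # Pass through only a strictly parseable http(s) URL with a host; URI.new/1
    # rejects characters that are invalid in a URI, so attribute breakouts and
    # bare "http"-prefixed strings both end up as nil.
    case URI.new(external_url) do
      {:ok, %URI{scheme: scheme, host: host}}
      when scheme in ["http", "https"] and is_binary(host) and host != "" ->
        external_url

      _ ->
        nil
    end
  end
```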
@@ -139,16 +139,9 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
   end
   test "does not return html escape" do
-    json = """
-    {
-      "name": "CELO XSS",
-      "image": "https://0-a.nl/nft/nft.jpg",
-      "description": "CELO XSS",
-      "external_url": "https\" id=x tabindex=1 onfocusin=eval(atob('KGZ1bmN0aW9uKCl7d2luZG93LmV0aG'))"
-    }
-    """
-
-    data = Jason.decode!(json)
+    data = %{
+      "external_url" => "https\" id=x tabindex=1 onfocusin=eval(atob('KGZ1bmN0aW9uKCl7d2luZG93LmV0aG'))"
+    }
     result = OverviewView.external_url(%{metadata: data})
@@ -170,6 +163,7 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
     result = OverviewView.external_url(%{metadata: data})
     assert String.starts_with?(result, "http"), "Valid url should be returned"
+    assert result == "https://happyland.nft"
   end
 end
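Review bot: The added `assert result == "https://happyland.nft"` makes the `String.starts_with?(result, "http")` assertion on the line above redundant, since equality already implies the prefix; either drop the earlier line or move its "Valid url should be returned" message onto the equality assert, e.g. `assert result == "https://happyland.nft", "Valid url should be returned"`. The `data` this test builds is outside the hunk. In the first hunk the test name "does not return html escape" no longer describes the behaviour the view now has, which is to return nil rather than an escaped value, so a name such as "returns nil for a value that is not a plain URL" would read more accurately (the assertion after `result = ...` is outside the hunk).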